How to prevent phishing attacks in Microsoft Outlook and Office 365: 3 methods

Phishing attacks are a major source of worry for businesses. Here are a few tips on keeping malicious messages out of your users' inboxes and minimizing the risk when they make it there.

Video: How to protect your employees from phishing and pretexting attacksEverything in an email can be faked. Hackers and cybercriminals rely on identity deception to fool employees. Agari Field CTO John Wilson explains how to restore trust to the inbox.

Hacking is hard work. That may explain why so many would-be cybercriminals turn to phishing. It's easy, you can hit lots of people at once, and even one response in a thousand could net you a huge return.

Security firm Wombat reports (registration required) that 76.5% of infosec professionals said they had to deal with phishing fallout in 2016—that's a lot of people letting a lot of credentials fall into the wrong hands.

Phishing, by its definition, involves sending emails, most of which contain links to malicious sites that either directly install malware or mimic the login pages of reputable and well-known sites.

Hackers aren't going to stop phishing anytime soon, so infosec professionals need to take matters into their own hands. The best way to do that is by either blocking phishing emails from getting through or by disabling hyperlinks in emails.

Here are a few steps to do just that in Outlook and Office 365.

Option 1: Rely on Microsoft's junk mail filter

Outlook's junk mail filter is reportedly able to distinguish between spam, phishing, and legitimate emails and filter them accordingly, even disabling hyperlinks and the ability to reply to a message.

While this is a great feature in both the 2013 and 2016 version of Outlook it still has its holes, just like any automated filter. The best way to make it effective is to specify junk mail criteria at the Exchange server level and push those rules out using Cached Exchange Mode or via PSTs stored server-side.

Setting junk mail filters at the server level will allow administrators to specify any specific senders, any top-level domains, or even text encoding to block. Emails blocked by the junk mail filter in this way will be sent to the Exchange server's junk mail folder and users won't even see them.

Using the junk mail filter will never be foolproof, so use this method alone at your own risk.

Option 2: Disable email hyperlinks using group policy

The most effective method of eliminating phishing attempts is also the most heavy handed: Killing all email hyperlinks. By disabling any links in emails you're completely cutting off an attacker's ability to accomplish their goal: burying a false URL behind a bit of text or a legitimate looking website won't do much if it shows up in plain text.

Keep in mind this will also kill legitimate links as well—users will have to either paste full URLs into email to be copied and pasted or simply share links in another way. Anyone doing this should be sure they get the okay from C-level decision makers: It's a huge change that may be great for security but a hassle for users.

Microsoft's website contains lots of information on how to do this for Office 2013, but not for 2016. You can download Office administrative templates for both Office 2013 and Office 2016 using similar formats and instructions but I was unable to find definitive steps for 2016.

Unless Microsoft has drastically changed the locations of Office group policy objects and registry keys, the image below, which represents the location of the object and key for Office 2013, should be similar in 2016.

Option 3: Enable Advanced Threat Protection safe links for Office 365

Managing Office 365 is a bit different from managing a typical Office installation—and that includes enabling reliable spam and phishing filtering.

Microsoft offers what it calls Advanced Threat Protection (ATP) as an upgrade to an Office 365 subscription. One of the components of ATP is safe links, a series of filters that are applied to a message before it is sent to the recipient's inbox and after it is opened.

ATP safe links is essentially a souped-up, cloud-based version of Outlook's junk mail filter, and rules can be applied at the individual, group, or organizational level.

When applied, ATP safe links runs incoming emails (when they contain hyperlinks) through IP and envelope filters, signature-based anti-malware scans, and anti-spam filters. If found to be safe the message is sent on to the recipient.

Once opened, safe links runs a check on links in the body to see if they match organizationally blocked URLs or known bad sites. It also scans any files that are downloaded via email links.

Don't forget to educate your users

For every weapon developed to counter spammers, hackers, and phishers, one of them comes up with a way to circumvent it. That said, it's entirely possible—if not probable—that a phishing attempt will make it past your filters someday.

The best filters and software are no match for good user education. Never miss an opportunity for teachable moments and it's not a bad idea to send out regularly scheduled security newsletters company wide that hit on important tips and things to watch out for.

Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays